InvisibleFerret is a Python-based backdoor malware that affects both Windows and Linux endpoints. It is used in targeted campaigns by North Korean threat actors, particularly the notorious Lazarus Group. This malware is deployed through advanced social engineering tactics, often disguised as part of legitimate job recruitment processes. Threat actors impersonate recruiters, luring victims, primarily professionals […]

Persistence techniques refer to methods attackers or malicious software use to maintain access to a compromised endpoint even after reboots, logouts, or other interruptions. These techniques ensure that the malware or unauthorized user remains active and can continue to execute malicious activities without re-exploitation. Common Windows persistence techniques involve modifying startup scripts, abusing scheduled tasks […]

Medusa is a ransomware-as-a-service (RaaS) variant, first observed in June 2021. Its operators and affiliates have impacted over 300 organizations across multiple sectors, including healthcare, education, legal, insurance, technology, and manufacturing. The ransomware is primarily delivered through phishing campaigns and the exploitation of unpatched software vulnerabilities.

Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and controlling industrial processes. Rapid SCADA is an open source SCADA platform used for data acquisition, automation, and remote control in industrial and critical infrastructure systems. It can be deployed on Windows or Linux endpoints, making it a flexible solution for different environments. Like […]

Impacket is a collection of Python-based scripts designed for manipulating network protocols and exploiting Windows services. It contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.  Although Red teamers use Impacket for authorized testing, threat actors frequently misuse it for lateral movement, privilege escalation, and data exfiltration […]

The Sosano backdoor emerged in late 2024 as a stealthy malware strain. It was used in a highly targeted campaign against organizations in critical sectors, including aviation, satellite communications, and transportation infrastructure. What sets the Sosano backdoor apart is its use of polyglot files – a rare and sophisticated technique that allows malware to masquerade […]

Cloud native security involves the practices and tools used to protect applications and infrastructures built in cloud-native technologies like microservices, containers, and orchestrators. Continuous monitoring and real-time threat detection are required to identify and mitigate unauthorized activities within cloud-native environments. By observing system behavior at runtime, security tools can detect security violations and respond to […]

Detecting data exfiltration is an important aspect of maintaining cybersecurity, especially when attackers leverage native system tools to evade detection. This technique, known as Living Off the Land (LOTL), involves the misuse of legitimate utilities in the operating system, making malicious activities blend with normal operations. Advanced Persistent Threat (APT) groups commonly use LOTL techniques, […]

Peaklight malware is an information stealer designed to collect sensitive data from compromised endpoints. It is frequently distributed through underground channels and, in some cases, offered as a Malware-as-a-Service (MaaS). Its flexible structure and frequent updates make it a continuously evolving and potent threat, capable of bypassing conventional security measures. Peaklight leverages multiple anti-analysis mechanisms […]

Maintaining the security of containerized environments is an important part of modern IT infrastructure. Vulnerabilities in container images and runtime environments expose organizations to significant risks, which makes proactive vulnerability scanning an essential practice. Trivy is an open source vulnerability scanner designed for containers, filesystems, and software dependencies. It supports a range of targets including […]

Lynx ransomware is a sophisticated malware threat that has been active since mid-2024, with over 20 victims across various industries. It primarily targets Windows operating systems, encrypting files using the Advanced Encryption Standard (AES) with a 128-bit key in CTR mode, and employs double extortion, threatening to leak stolen data. Operated by the Lynx ransomware […]

Organizations face challenges connecting Cyber Threat Intelligence (CTI) and Digital Forensics and Incident Response (DFIR) efforts. Effective collaboration between these domains is necessary for addressing threats proactively and efficiently. Yeti (Your Everyday Threat Intelligence) is an open source Forensics Intelligence platform that helps bridge the gap between CTI and DFIR efforts. It provides DFIR teams […]